Maintainers.txt: Update email address
[mirror_edk2.git] / CryptoPkg / Library / TlsLib / TlsConfig.c
1 /** @file
2 SSL/TLS Configuration Library Wrapper Implementation over OpenSSL.
3
4 Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>
5 (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
6 SPDX-License-Identifier: BSD-2-Clause-Patent
7
8 **/
9
10 #include "InternalTlsLib.h"
11
12 typedef struct {
13 //
14 // IANA/IETF defined Cipher Suite ID
15 //
16 UINT16 IanaCipher;
17 //
18 // OpenSSL-used Cipher Suite String
19 //
20 CONST CHAR8 *OpensslCipher;
21 //
22 // Length of OpensslCipher
23 //
24 UINTN OpensslCipherLength;
25 } TLS_CIPHER_MAPPING;
26
27 //
28 // Create a TLS_CIPHER_MAPPING initializer from IanaCipher and OpensslCipher so
29 // that OpensslCipherLength is filled in automatically. IanaCipher must be an
30 // integer constant expression, and OpensslCipher must be a string literal.
31 //
32 #define MAP(IanaCipher, OpensslCipher) \
33 { (IanaCipher), (OpensslCipher), sizeof (OpensslCipher) - 1 }
34
35 //
36 // The mapping table between IANA/IETF Cipher Suite definitions and
37 // OpenSSL-used Cipher Suite name.
38 //
39 // Keep the table uniquely sorted by the IanaCipher field, in increasing order.
40 //
41 STATIC CONST TLS_CIPHER_MAPPING TlsCipherMappingTable[] = {
42 MAP (0x0001, "NULL-MD5"), /// TLS_RSA_WITH_NULL_MD5
43 MAP (0x0002, "NULL-SHA"), /// TLS_RSA_WITH_NULL_SHA
44 MAP (0x0004, "RC4-MD5"), /// TLS_RSA_WITH_RC4_128_MD5
45 MAP (0x0005, "RC4-SHA"), /// TLS_RSA_WITH_RC4_128_SHA
46 MAP (0x000A, "DES-CBC3-SHA"), /// TLS_RSA_WITH_3DES_EDE_CBC_SHA, mandatory TLS 1.1
47 MAP (0x0016, "DHE-RSA-DES-CBC3-SHA"), /// TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
48 MAP (0x002F, "AES128-SHA"), /// TLS_RSA_WITH_AES_128_CBC_SHA, mandatory TLS 1.2
49 MAP (0x0030, "DH-DSS-AES128-SHA"), /// TLS_DH_DSS_WITH_AES_128_CBC_SHA
50 MAP (0x0031, "DH-RSA-AES128-SHA"), /// TLS_DH_RSA_WITH_AES_128_CBC_SHA
51 MAP (0x0033, "DHE-RSA-AES128-SHA"), /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA
52 MAP (0x0035, "AES256-SHA"), /// TLS_RSA_WITH_AES_256_CBC_SHA
53 MAP (0x0036, "DH-DSS-AES256-SHA"), /// TLS_DH_DSS_WITH_AES_256_CBC_SHA
54 MAP (0x0037, "DH-RSA-AES256-SHA"), /// TLS_DH_RSA_WITH_AES_256_CBC_SHA
55 MAP (0x0039, "DHE-RSA-AES256-SHA"), /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA
56 MAP (0x003B, "NULL-SHA256"), /// TLS_RSA_WITH_NULL_SHA256
57 MAP (0x003C, "AES128-SHA256"), /// TLS_RSA_WITH_AES_128_CBC_SHA256
58 MAP (0x003D, "AES256-SHA256"), /// TLS_RSA_WITH_AES_256_CBC_SHA256
59 MAP (0x003E, "DH-DSS-AES128-SHA256"), /// TLS_DH_DSS_WITH_AES_128_CBC_SHA256
60 MAP (0x003F, "DH-RSA-AES128-SHA256"), /// TLS_DH_RSA_WITH_AES_128_CBC_SHA256
61 MAP (0x0067, "DHE-RSA-AES128-SHA256"), /// TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
62 MAP (0x0068, "DH-DSS-AES256-SHA256"), /// TLS_DH_DSS_WITH_AES_256_CBC_SHA256
63 MAP (0x0069, "DH-RSA-AES256-SHA256"), /// TLS_DH_RSA_WITH_AES_256_CBC_SHA256
64 MAP (0x006B, "DHE-RSA-AES256-SHA256"), /// TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
65 };
66
67 /**
68 Gets the OpenSSL cipher suite mapping for the supplied IANA TLS cipher suite.
69
70 @param[in] CipherId The supplied IANA TLS cipher suite ID.
71
72 @return The corresponding OpenSSL cipher suite mapping if found,
73 NULL otherwise.
74
75 **/
76 STATIC
77 CONST TLS_CIPHER_MAPPING *
78 TlsGetCipherMapping (
79 IN UINT16 CipherId
80 )
81 {
82 INTN Left;
83 INTN Right;
84 INTN Middle;
85
86 //
87 // Binary Search Cipher Mapping Table for IANA-OpenSSL Cipher Translation
88 //
89 Left = 0;
90 Right = ARRAY_SIZE (TlsCipherMappingTable) - 1;
91
92 while (Right >= Left) {
93 Middle = (Left + Right) / 2;
94
95 if (CipherId == TlsCipherMappingTable[Middle].IanaCipher) {
96 //
97 // Translate IANA cipher suite ID to OpenSSL name.
98 //
99 return &TlsCipherMappingTable[Middle];
100 }
101
102 if (CipherId < TlsCipherMappingTable[Middle].IanaCipher) {
103 Right = Middle - 1;
104 } else {
105 Left = Middle + 1;
106 }
107 }
108
109 //
110 // No Cipher Mapping found, return NULL.
111 //
112 return NULL;
113 }
114
115 /**
116 Set a new TLS/SSL method for a particular TLS object.
117
118 This function sets a new TLS/SSL method for a particular TLS object.
119
120 @param[in] Tls Pointer to a TLS object.
121 @param[in] MajorVer Major Version of TLS/SSL Protocol.
122 @param[in] MinorVer Minor Version of TLS/SSL Protocol.
123
124 @retval EFI_SUCCESS The TLS/SSL method was set successfully.
125 @retval EFI_INVALID_PARAMETER The parameter is invalid.
126 @retval EFI_UNSUPPORTED Unsupported TLS/SSL method.
127
128 **/
129 EFI_STATUS
130 EFIAPI
131 TlsSetVersion (
132 IN VOID *Tls,
133 IN UINT8 MajorVer,
134 IN UINT8 MinorVer
135 )
136 {
137 TLS_CONNECTION *TlsConn;
138 UINT16 ProtoVersion;
139
140 TlsConn = (TLS_CONNECTION *)Tls;
141 if ((TlsConn == NULL) || (TlsConn->Ssl == NULL)) {
142 return EFI_INVALID_PARAMETER;
143 }
144
145 ProtoVersion = (MajorVer << 8) | MinorVer;
146
147 //
148 // Bound TLS method to the particular specified version.
149 //
150 switch (ProtoVersion) {
151 case TLS1_VERSION:
152 //
153 // TLS 1.0
154 //
155 SSL_set_min_proto_version (TlsConn->Ssl, TLS1_VERSION);
156 SSL_set_max_proto_version (TlsConn->Ssl, TLS1_VERSION);
157 break;
158 case TLS1_1_VERSION:
159 //
160 // TLS 1.1
161 //
162 SSL_set_min_proto_version (TlsConn->Ssl, TLS1_1_VERSION);
163 SSL_set_max_proto_version (TlsConn->Ssl, TLS1_1_VERSION);
164 break;
165 case TLS1_2_VERSION:
166 //
167 // TLS 1.2
168 //
169 SSL_set_min_proto_version (TlsConn->Ssl, TLS1_2_VERSION);
170 SSL_set_max_proto_version (TlsConn->Ssl, TLS1_2_VERSION);
171 break;
172 default:
173 //
174 // Unsupported Protocol Version
175 //
176 return EFI_UNSUPPORTED;
177 }
178
179 return EFI_SUCCESS;
180 }
181
182 /**
183 Set TLS object to work in client or server mode.
184
185 This function prepares a TLS object to work in client or server mode.
186
187 @param[in] Tls Pointer to a TLS object.
188 @param[in] IsServer Work in server mode.
189
190 @retval EFI_SUCCESS The TLS/SSL work mode was set successfully.
191 @retval EFI_INVALID_PARAMETER The parameter is invalid.
192 @retval EFI_UNSUPPORTED Unsupported TLS/SSL work mode.
193
194 **/
195 EFI_STATUS
196 EFIAPI
197 TlsSetConnectionEnd (
198 IN VOID *Tls,
199 IN BOOLEAN IsServer
200 )
201 {
202 TLS_CONNECTION *TlsConn;
203
204 TlsConn = (TLS_CONNECTION *)Tls;
205 if ((TlsConn == NULL) || (TlsConn->Ssl == NULL)) {
206 return EFI_INVALID_PARAMETER;
207 }
208
209 if (!IsServer) {
210 //
211 // Set TLS to work in Client mode.
212 //
213 SSL_set_connect_state (TlsConn->Ssl);
214 } else {
215 //
216 // Set TLS to work in Server mode.
217 // It is unsupported for UEFI version currently.
218 //
219 // SSL_set_accept_state (TlsConn->Ssl);
220 return EFI_UNSUPPORTED;
221 }
222
223 return EFI_SUCCESS;
224 }
225
226 /**
227 Set the ciphers list to be used by the TLS object.
228
229 This function sets the ciphers for use by a specified TLS object.
230
231 @param[in] Tls Pointer to a TLS object.
232 @param[in] CipherId Array of UINT16 cipher identifiers. Each UINT16
233 cipher identifier comes from the TLS Cipher Suite
234 Registry of the IANA, interpreting Byte1 and Byte2
235 in network (big endian) byte order.
236 @param[in] CipherNum The number of cipher in the list.
237
238 @retval EFI_SUCCESS The ciphers list was set successfully.
239 @retval EFI_INVALID_PARAMETER The parameter is invalid.
240 @retval EFI_UNSUPPORTED No supported TLS cipher was found in CipherId.
241 @retval EFI_OUT_OF_RESOURCES Memory allocation failed.
242
243 **/
244 EFI_STATUS
245 EFIAPI
246 TlsSetCipherList (
247 IN VOID *Tls,
248 IN UINT16 *CipherId,
249 IN UINTN CipherNum
250 )
251 {
252 TLS_CONNECTION *TlsConn;
253 EFI_STATUS Status;
254 CONST TLS_CIPHER_MAPPING **MappedCipher;
255 UINTN MappedCipherBytes;
256 UINTN MappedCipherCount;
257 UINTN CipherStringSize;
258 UINTN Index;
259 CONST TLS_CIPHER_MAPPING *Mapping;
260 CHAR8 *CipherString;
261 CHAR8 *CipherStringPosition;
262
263 TlsConn = (TLS_CONNECTION *)Tls;
264 if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (CipherId == NULL)) {
265 return EFI_INVALID_PARAMETER;
266 }
267
268 //
269 // Allocate the MappedCipher array for recording the mappings that we find
270 // for the input IANA identifiers in CipherId.
271 //
272 Status = SafeUintnMult (
273 CipherNum,
274 sizeof (*MappedCipher),
275 &MappedCipherBytes
276 );
277 if (EFI_ERROR (Status)) {
278 return EFI_OUT_OF_RESOURCES;
279 }
280
281 MappedCipher = AllocatePool (MappedCipherBytes);
282 if (MappedCipher == NULL) {
283 return EFI_OUT_OF_RESOURCES;
284 }
285
286 //
287 // Map the cipher IDs, and count the number of bytes for the full
288 // CipherString.
289 //
290 MappedCipherCount = 0;
291 CipherStringSize = 0;
292 for (Index = 0; Index < CipherNum; Index++) {
293 //
294 // Look up the IANA-to-OpenSSL mapping.
295 //
296 Mapping = TlsGetCipherMapping (CipherId[Index]);
297 if (Mapping == NULL) {
298 DEBUG ((
299 DEBUG_VERBOSE,
300 "%a:%a: skipping CipherId=0x%04x\n",
301 gEfiCallerBaseName,
302 __FUNCTION__,
303 CipherId[Index]
304 ));
305 //
306 // Skipping the cipher is valid because CipherId is an ordered
307 // preference list of ciphers, thus we can filter it as long as we
308 // don't change the relative order of elements on it.
309 //
310 continue;
311 }
312
313 //
314 // Accumulate Mapping->OpensslCipherLength into CipherStringSize. If this
315 // is not the first successful mapping, account for a colon (":") prefix
316 // too.
317 //
318 if (MappedCipherCount > 0) {
319 Status = SafeUintnAdd (CipherStringSize, 1, &CipherStringSize);
320 if (EFI_ERROR (Status)) {
321 Status = EFI_OUT_OF_RESOURCES;
322 goto FreeMappedCipher;
323 }
324 }
325
326 Status = SafeUintnAdd (
327 CipherStringSize,
328 Mapping->OpensslCipherLength,
329 &CipherStringSize
330 );
331 if (EFI_ERROR (Status)) {
332 Status = EFI_OUT_OF_RESOURCES;
333 goto FreeMappedCipher;
334 }
335
336 //
337 // Record the mapping.
338 //
339 MappedCipher[MappedCipherCount++] = Mapping;
340 }
341
342 //
343 // Verify that at least one IANA cipher ID could be mapped; account for the
344 // terminating NUL character in CipherStringSize; allocate CipherString.
345 //
346 if (MappedCipherCount == 0) {
347 DEBUG ((
348 DEBUG_ERROR,
349 "%a:%a: no CipherId could be mapped\n",
350 gEfiCallerBaseName,
351 __FUNCTION__
352 ));
353 Status = EFI_UNSUPPORTED;
354 goto FreeMappedCipher;
355 }
356
357 Status = SafeUintnAdd (CipherStringSize, 1, &CipherStringSize);
358 if (EFI_ERROR (Status)) {
359 Status = EFI_OUT_OF_RESOURCES;
360 goto FreeMappedCipher;
361 }
362
363 CipherString = AllocatePool (CipherStringSize);
364 if (CipherString == NULL) {
365 Status = EFI_OUT_OF_RESOURCES;
366 goto FreeMappedCipher;
367 }
368
369 //
370 // Go over the collected mappings and populate CipherString.
371 //
372 CipherStringPosition = CipherString;
373 for (Index = 0; Index < MappedCipherCount; Index++) {
374 Mapping = MappedCipher[Index];
375 //
376 // Append the colon (":") prefix except for the first mapping, then append
377 // Mapping->OpensslCipher.
378 //
379 if (Index > 0) {
380 *(CipherStringPosition++) = ':';
381 }
382
383 CopyMem (
384 CipherStringPosition,
385 Mapping->OpensslCipher,
386 Mapping->OpensslCipherLength
387 );
388 CipherStringPosition += Mapping->OpensslCipherLength;
389 }
390
391 //
392 // NUL-terminate CipherString.
393 //
394 *(CipherStringPosition++) = '\0';
395 ASSERT (CipherStringPosition == CipherString + CipherStringSize);
396
397 //
398 // Log CipherString for debugging. CipherString can be very long if the
399 // caller provided a large CipherId array, so log CipherString in segments of
400 // 79 non-newline characters. (MAX_DEBUG_MESSAGE_LENGTH is usually 0x100 in
401 // DebugLib instances.)
402 //
403 DEBUG_CODE_BEGIN ();
404 UINTN FullLength;
405 UINTN SegmentLength;
406
407 FullLength = CipherStringSize - 1;
408 DEBUG ((
409 DEBUG_VERBOSE,
410 "%a:%a: CipherString={\n",
411 gEfiCallerBaseName,
412 __FUNCTION__
413 ));
414 for (CipherStringPosition = CipherString;
415 CipherStringPosition < CipherString + FullLength;
416 CipherStringPosition += SegmentLength)
417 {
418 SegmentLength = FullLength - (CipherStringPosition - CipherString);
419 if (SegmentLength > 79) {
420 SegmentLength = 79;
421 }
422
423 DEBUG ((DEBUG_VERBOSE, "%.*a\n", SegmentLength, CipherStringPosition));
424 }
425
426 DEBUG ((DEBUG_VERBOSE, "}\n"));
427 //
428 // Restore the pre-debug value of CipherStringPosition by skipping over the
429 // trailing NUL.
430 //
431 CipherStringPosition++;
432 ASSERT (CipherStringPosition == CipherString + CipherStringSize);
433 DEBUG_CODE_END ();
434
435 //
436 // Sets the ciphers for use by the Tls object.
437 //
438 if (SSL_set_cipher_list (TlsConn->Ssl, CipherString) <= 0) {
439 Status = EFI_UNSUPPORTED;
440 goto FreeCipherString;
441 }
442
443 Status = EFI_SUCCESS;
444
445 FreeCipherString:
446 FreePool (CipherString);
447
448 FreeMappedCipher:
449 FreePool (MappedCipher);
450
451 return Status;
452 }
453
454 /**
455 Set the compression method for TLS/SSL operations.
456
457 This function handles TLS/SSL integrated compression methods.
458
459 @param[in] CompMethod The compression method ID.
460
461 @retval EFI_SUCCESS The compression method for the communication was
462 set successfully.
463 @retval EFI_UNSUPPORTED Unsupported compression method.
464
465 **/
466 EFI_STATUS
467 EFIAPI
468 TlsSetCompressionMethod (
469 IN UINT8 CompMethod
470 )
471 {
472 COMP_METHOD *Cm;
473 INTN Ret;
474
475 Cm = NULL;
476 Ret = 0;
477
478 if (CompMethod == 0) {
479 //
480 // TLS defines one standard compression method, CompressionMethod.null (0),
481 // which specifies that data exchanged via the record protocol will not be compressed.
482 // So, return EFI_SUCCESS directly (RFC 3749).
483 //
484 return EFI_SUCCESS;
485 } else if (CompMethod == 1) {
486 Cm = COMP_zlib ();
487 } else {
488 return EFI_UNSUPPORTED;
489 }
490
491 //
492 // Adds the compression method to the list of available
493 // compression methods.
494 //
495 Ret = SSL_COMP_add_compression_method (CompMethod, Cm);
496 if (Ret != 0) {
497 return EFI_UNSUPPORTED;
498 }
499
500 return EFI_SUCCESS;
501 }
502
503 /**
504 Set peer certificate verification mode for the TLS connection.
505
506 This function sets the verification mode flags for the TLS connection.
507
508 @param[in] Tls Pointer to the TLS object.
509 @param[in] VerifyMode A set of logically or'ed verification mode flags.
510
511 **/
512 VOID
513 EFIAPI
514 TlsSetVerify (
515 IN VOID *Tls,
516 IN UINT32 VerifyMode
517 )
518 {
519 TLS_CONNECTION *TlsConn;
520
521 TlsConn = (TLS_CONNECTION *)Tls;
522 if ((TlsConn == NULL) || (TlsConn->Ssl == NULL)) {
523 return;
524 }
525
526 //
527 // Set peer certificate verification parameters with NULL callback.
528 //
529 SSL_set_verify (TlsConn->Ssl, VerifyMode, NULL);
530 }
531
532 /**
533 Set the specified host name to be verified.
534
535 @param[in] Tls Pointer to the TLS object.
536 @param[in] Flags The setting flags during the validation.
537 @param[in] HostName The specified host name to be verified.
538
539 @retval EFI_SUCCESS The HostName setting was set successfully.
540 @retval EFI_INVALID_PARAMETER The parameter is invalid.
541 @retval EFI_ABORTED Invalid HostName setting.
542
543 **/
544 EFI_STATUS
545 EFIAPI
546 TlsSetVerifyHost (
547 IN VOID *Tls,
548 IN UINT32 Flags,
549 IN CHAR8 *HostName
550 )
551 {
552 TLS_CONNECTION *TlsConn;
553 X509_VERIFY_PARAM *VerifyParam;
554 UINTN BinaryAddressSize;
555 UINT8 BinaryAddress[MAX (NS_INADDRSZ, NS_IN6ADDRSZ)];
556 INTN ParamStatus;
557
558 TlsConn = (TLS_CONNECTION *)Tls;
559 if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (HostName == NULL)) {
560 return EFI_INVALID_PARAMETER;
561 }
562
563 SSL_set_hostflags (TlsConn->Ssl, Flags);
564
565 VerifyParam = SSL_get0_param (TlsConn->Ssl);
566 ASSERT (VerifyParam != NULL);
567
568 BinaryAddressSize = 0;
569 if (inet_pton (AF_INET6, HostName, BinaryAddress) == 1) {
570 BinaryAddressSize = NS_IN6ADDRSZ;
571 } else if (inet_pton (AF_INET, HostName, BinaryAddress) == 1) {
572 BinaryAddressSize = NS_INADDRSZ;
573 }
574
575 if (BinaryAddressSize > 0) {
576 DEBUG ((
577 DEBUG_VERBOSE,
578 "%a:%a: parsed \"%a\" as an IPv%c address "
579 "literal\n",
580 gEfiCallerBaseName,
581 __FUNCTION__,
582 HostName,
583 (UINTN)((BinaryAddressSize == NS_IN6ADDRSZ) ? '6' : '4')
584 ));
585 ParamStatus = X509_VERIFY_PARAM_set1_ip (
586 VerifyParam,
587 BinaryAddress,
588 BinaryAddressSize
589 );
590 } else {
591 ParamStatus = X509_VERIFY_PARAM_set1_host (VerifyParam, HostName, 0);
592 }
593
594 return (ParamStatus == 1) ? EFI_SUCCESS : EFI_ABORTED;
595 }
596
597 /**
598 Sets a TLS/SSL session ID to be used during TLS/SSL connect.
599
600 This function sets a session ID to be used when the TLS/SSL connection is
601 to be established.
602
603 @param[in] Tls Pointer to the TLS object.
604 @param[in] SessionId Session ID data used for session resumption.
605 @param[in] SessionIdLen Length of Session ID in bytes.
606
607 @retval EFI_SUCCESS Session ID was set successfully.
608 @retval EFI_INVALID_PARAMETER The parameter is invalid.
609 @retval EFI_UNSUPPORTED No available session for ID setting.
610
611 **/
612 EFI_STATUS
613 EFIAPI
614 TlsSetSessionId (
615 IN VOID *Tls,
616 IN UINT8 *SessionId,
617 IN UINT16 SessionIdLen
618 )
619 {
620 TLS_CONNECTION *TlsConn;
621 SSL_SESSION *Session;
622
623 TlsConn = (TLS_CONNECTION *)Tls;
624 Session = NULL;
625
626 if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (SessionId == NULL)) {
627 return EFI_INVALID_PARAMETER;
628 }
629
630 Session = SSL_get_session (TlsConn->Ssl);
631 if (Session == NULL) {
632 return EFI_UNSUPPORTED;
633 }
634
635 SSL_SESSION_set1_id (Session, (const unsigned char *)SessionId, SessionIdLen);
636
637 return EFI_SUCCESS;
638 }
639
640 /**
641 Adds the CA to the cert store when requesting Server or Client authentication.
642
643 This function adds the CA certificate to the list of CAs when requesting
644 Server or Client authentication for the chosen TLS connection.
645
646 @param[in] Tls Pointer to the TLS object.
647 @param[in] Data Pointer to the data buffer of a DER-encoded binary
648 X.509 certificate or PEM-encoded X.509 certificate.
649 @param[in] DataSize The size of data buffer in bytes.
650
651 @retval EFI_SUCCESS The operation succeeded.
652 @retval EFI_INVALID_PARAMETER The parameter is invalid.
653 @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated.
654 @retval EFI_ABORTED Invalid X.509 certificate.
655
656 **/
657 EFI_STATUS
658 EFIAPI
659 TlsSetCaCertificate (
660 IN VOID *Tls,
661 IN VOID *Data,
662 IN UINTN DataSize
663 )
664 {
665 BIO *BioCert;
666 X509 *Cert;
667 X509_STORE *X509Store;
668 EFI_STATUS Status;
669 TLS_CONNECTION *TlsConn;
670 SSL_CTX *SslCtx;
671 INTN Ret;
672 UINTN ErrorCode;
673
674 BioCert = NULL;
675 Cert = NULL;
676 X509Store = NULL;
677 Status = EFI_SUCCESS;
678 TlsConn = (TLS_CONNECTION *)Tls;
679 Ret = 0;
680
681 if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (Data == NULL) || (DataSize == 0)) {
682 return EFI_INVALID_PARAMETER;
683 }
684
685 //
686 // DER-encoded binary X.509 certificate or PEM-encoded X.509 certificate.
687 // Determine whether certificate is from DER encoding, if so, translate it to X509 structure.
688 //
689 Cert = d2i_X509 (NULL, (const unsigned char **)&Data, (long)DataSize);
690 if (Cert == NULL) {
691 //
692 // Certificate is from PEM encoding.
693 //
694 BioCert = BIO_new (BIO_s_mem ());
695 if (BioCert == NULL) {
696 Status = EFI_OUT_OF_RESOURCES;
697 goto ON_EXIT;
698 }
699
700 if (BIO_write (BioCert, Data, (UINT32)DataSize) <= 0) {
701 Status = EFI_ABORTED;
702 goto ON_EXIT;
703 }
704
705 Cert = PEM_read_bio_X509 (BioCert, NULL, NULL, NULL);
706 if (Cert == NULL) {
707 Status = EFI_ABORTED;
708 goto ON_EXIT;
709 }
710 }
711
712 SslCtx = SSL_get_SSL_CTX (TlsConn->Ssl);
713 X509Store = SSL_CTX_get_cert_store (SslCtx);
714 if (X509Store == NULL) {
715 Status = EFI_ABORTED;
716 goto ON_EXIT;
717 }
718
719 //
720 // Add certificate to X509 store
721 //
722 Ret = X509_STORE_add_cert (X509Store, Cert);
723 if (Ret != 1) {
724 ErrorCode = ERR_peek_last_error ();
725 //
726 // Ignore "already in table" errors
727 //
728 if (!((ERR_GET_FUNC (ErrorCode) == X509_F_X509_STORE_ADD_CERT) &&
729 (ERR_GET_REASON (ErrorCode) == X509_R_CERT_ALREADY_IN_HASH_TABLE)))
730 {
731 Status = EFI_ABORTED;
732 goto ON_EXIT;
733 }
734 }
735
736 ON_EXIT:
737 if (BioCert != NULL) {
738 BIO_free (BioCert);
739 }
740
741 if (Cert != NULL) {
742 X509_free (Cert);
743 }
744
745 return Status;
746 }
747
748 /**
749 Loads the local public certificate into the specified TLS object.
750
751 This function loads the X.509 certificate into the specified TLS object
752 for TLS negotiation.
753
754 @param[in] Tls Pointer to the TLS object.
755 @param[in] Data Pointer to the data buffer of a DER-encoded binary
756 X.509 certificate or PEM-encoded X.509 certificate.
757 @param[in] DataSize The size of data buffer in bytes.
758
759 @retval EFI_SUCCESS The operation succeeded.
760 @retval EFI_INVALID_PARAMETER The parameter is invalid.
761 @retval EFI_OUT_OF_RESOURCES Required resources could not be allocated.
762 @retval EFI_ABORTED Invalid X.509 certificate.
763
764 **/
765 EFI_STATUS
766 EFIAPI
767 TlsSetHostPublicCert (
768 IN VOID *Tls,
769 IN VOID *Data,
770 IN UINTN DataSize
771 )
772 {
773 BIO *BioCert;
774 X509 *Cert;
775 EFI_STATUS Status;
776 TLS_CONNECTION *TlsConn;
777
778 BioCert = NULL;
779 Cert = NULL;
780 Status = EFI_SUCCESS;
781 TlsConn = (TLS_CONNECTION *)Tls;
782
783 if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (Data == NULL) || (DataSize == 0)) {
784 return EFI_INVALID_PARAMETER;
785 }
786
787 //
788 // DER-encoded binary X.509 certificate or PEM-encoded X.509 certificate.
789 // Determine whether certificate is from DER encoding, if so, translate it to X509 structure.
790 //
791 Cert = d2i_X509 (NULL, (const unsigned char **)&Data, (long)DataSize);
792 if (Cert == NULL) {
793 //
794 // Certificate is from PEM encoding.
795 //
796 BioCert = BIO_new (BIO_s_mem ());
797 if (BioCert == NULL) {
798 Status = EFI_OUT_OF_RESOURCES;
799 goto ON_EXIT;
800 }
801
802 if (BIO_write (BioCert, Data, (UINT32)DataSize) <= 0) {
803 Status = EFI_ABORTED;
804 goto ON_EXIT;
805 }
806
807 Cert = PEM_read_bio_X509 (BioCert, NULL, NULL, NULL);
808 if (Cert == NULL) {
809 Status = EFI_ABORTED;
810 goto ON_EXIT;
811 }
812 }
813
814 if (SSL_use_certificate (TlsConn->Ssl, Cert) != 1) {
815 Status = EFI_ABORTED;
816 goto ON_EXIT;
817 }
818
819 ON_EXIT:
820 if (BioCert != NULL) {
821 BIO_free (BioCert);
822 }
823
824 if (Cert != NULL) {
825 X509_free (Cert);
826 }
827
828 return Status;
829 }
830
831 /**
832 Adds the local private key to the specified TLS object.
833
834 This function adds the local private key (PEM-encoded RSA or PKCS#8 private
835 key) into the specified TLS object for TLS negotiation.
836
837 @param[in] Tls Pointer to the TLS object.
838 @param[in] Data Pointer to the data buffer of a PEM-encoded RSA
839 or PKCS#8 private key.
840 @param[in] DataSize The size of data buffer in bytes.
841
842 @retval EFI_SUCCESS The operation succeeded.
843 @retval EFI_UNSUPPORTED This function is not supported.
844 @retval EFI_ABORTED Invalid private key data.
845
846 **/
847 EFI_STATUS
848 EFIAPI
849 TlsSetHostPrivateKey (
850 IN VOID *Tls,
851 IN VOID *Data,
852 IN UINTN DataSize
853 )
854 {
855 return EFI_UNSUPPORTED;
856 }
857
858 /**
859 Adds the CA-supplied certificate revocation list for certificate validation.
860
861 This function adds the CA-supplied certificate revocation list data for
862 certificate validity checking.
863
864 @param[in] Data Pointer to the data buffer of a DER-encoded CRL data.
865 @param[in] DataSize The size of data buffer in bytes.
866
867 @retval EFI_SUCCESS The operation succeeded.
868 @retval EFI_UNSUPPORTED This function is not supported.
869 @retval EFI_ABORTED Invalid CRL data.
870
871 **/
872 EFI_STATUS
873 EFIAPI
874 TlsSetCertRevocationList (
875 IN VOID *Data,
876 IN UINTN DataSize
877 )
878 {
879 return EFI_UNSUPPORTED;
880 }
881
882 /**
883 Gets the protocol version used by the specified TLS connection.
884
885 This function returns the protocol version used by the specified TLS
886 connection.
887
888 If Tls is NULL, then ASSERT().
889
890 @param[in] Tls Pointer to the TLS object.
891
892 @return The protocol version of the specified TLS connection.
893
894 **/
895 UINT16
896 EFIAPI
897 TlsGetVersion (
898 IN VOID *Tls
899 )
900 {
901 TLS_CONNECTION *TlsConn;
902
903 TlsConn = (TLS_CONNECTION *)Tls;
904
905 ASSERT (TlsConn != NULL);
906
907 return (UINT16)(SSL_version (TlsConn->Ssl));
908 }
909
910 /**
911 Gets the connection end of the specified TLS connection.
912
913 This function returns the connection end (as client or as server) used by
914 the specified TLS connection.
915
916 If Tls is NULL, then ASSERT().
917
918 @param[in] Tls Pointer to the TLS object.
919
920 @return The connection end used by the specified TLS connection.
921
922 **/
923 UINT8
924 EFIAPI
925 TlsGetConnectionEnd (
926 IN VOID *Tls
927 )
928 {
929 TLS_CONNECTION *TlsConn;
930
931 TlsConn = (TLS_CONNECTION *)Tls;
932
933 ASSERT (TlsConn != NULL);
934
935 return (UINT8)SSL_is_server (TlsConn->Ssl);
936 }
937
938 /**
939 Gets the cipher suite used by the specified TLS connection.
940
941 This function returns current cipher suite used by the specified
942 TLS connection.
943
944 @param[in] Tls Pointer to the TLS object.
945 @param[in,out] CipherId The cipher suite used by the TLS object.
946
947 @retval EFI_SUCCESS The cipher suite was returned successfully.
948 @retval EFI_INVALID_PARAMETER The parameter is invalid.
949 @retval EFI_UNSUPPORTED Unsupported cipher suite.
950
951 **/
952 EFI_STATUS
953 EFIAPI
954 TlsGetCurrentCipher (
955 IN VOID *Tls,
956 IN OUT UINT16 *CipherId
957 )
958 {
959 TLS_CONNECTION *TlsConn;
960 CONST SSL_CIPHER *Cipher;
961
962 TlsConn = (TLS_CONNECTION *)Tls;
963 Cipher = NULL;
964
965 if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (CipherId == NULL)) {
966 return EFI_INVALID_PARAMETER;
967 }
968
969 Cipher = SSL_get_current_cipher (TlsConn->Ssl);
970 if (Cipher == NULL) {
971 return EFI_UNSUPPORTED;
972 }
973
974 *CipherId = (SSL_CIPHER_get_id (Cipher)) & 0xFFFF;
975
976 return EFI_SUCCESS;
977 }
978
979 /**
980 Gets the compression methods used by the specified TLS connection.
981
982 This function returns current integrated compression methods used by
983 the specified TLS connection.
984
985 @param[in] Tls Pointer to the TLS object.
986 @param[in,out] CompressionId The current compression method used by
987 the TLS object.
988
989 @retval EFI_SUCCESS The compression method was returned successfully.
990 @retval EFI_INVALID_PARAMETER The parameter is invalid.
991 @retval EFI_ABORTED Invalid Compression method.
992 @retval EFI_UNSUPPORTED This function is not supported.
993
994 **/
995 EFI_STATUS
996 EFIAPI
997 TlsGetCurrentCompressionId (
998 IN VOID *Tls,
999 IN OUT UINT8 *CompressionId
1000 )
1001 {
1002 return EFI_UNSUPPORTED;
1003 }
1004
1005 /**
1006 Gets the verification mode currently set in the TLS connection.
1007
1008 This function returns the peer verification mode currently set in the
1009 specified TLS connection.
1010
1011 If Tls is NULL, then ASSERT().
1012
1013 @param[in] Tls Pointer to the TLS object.
1014
1015 @return The verification mode set in the specified TLS connection.
1016
1017 **/
1018 UINT32
1019 EFIAPI
1020 TlsGetVerify (
1021 IN VOID *Tls
1022 )
1023 {
1024 TLS_CONNECTION *TlsConn;
1025
1026 TlsConn = (TLS_CONNECTION *)Tls;
1027
1028 ASSERT (TlsConn != NULL);
1029
1030 return SSL_get_verify_mode (TlsConn->Ssl);
1031 }
1032
1033 /**
1034 Gets the session ID used by the specified TLS connection.
1035
1036 This function returns the TLS/SSL session ID currently used by the
1037 specified TLS connection.
1038
1039 @param[in] Tls Pointer to the TLS object.
1040 @param[in,out] SessionId Buffer to contain the returned session ID.
1041 @param[in,out] SessionIdLen The length of Session ID in bytes.
1042
1043 @retval EFI_SUCCESS The Session ID was returned successfully.
1044 @retval EFI_INVALID_PARAMETER The parameter is invalid.
1045 @retval EFI_UNSUPPORTED Invalid TLS/SSL session.
1046
1047 **/
1048 EFI_STATUS
1049 EFIAPI
1050 TlsGetSessionId (
1051 IN VOID *Tls,
1052 IN OUT UINT8 *SessionId,
1053 IN OUT UINT16 *SessionIdLen
1054 )
1055 {
1056 TLS_CONNECTION *TlsConn;
1057 SSL_SESSION *Session;
1058 CONST UINT8 *SslSessionId;
1059
1060 TlsConn = (TLS_CONNECTION *)Tls;
1061 Session = NULL;
1062
1063 if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (SessionId == NULL) || (SessionIdLen == NULL)) {
1064 return EFI_INVALID_PARAMETER;
1065 }
1066
1067 Session = SSL_get_session (TlsConn->Ssl);
1068 if (Session == NULL) {
1069 return EFI_UNSUPPORTED;
1070 }
1071
1072 SslSessionId = SSL_SESSION_get_id (Session, (unsigned int *)SessionIdLen);
1073 CopyMem (SessionId, SslSessionId, *SessionIdLen);
1074
1075 return EFI_SUCCESS;
1076 }
1077
1078 /**
1079 Gets the client random data used in the specified TLS connection.
1080
1081 This function returns the TLS/SSL client random data currently used in
1082 the specified TLS connection.
1083
1084 @param[in] Tls Pointer to the TLS object.
1085 @param[in,out] ClientRandom Buffer to contain the returned client
1086 random data (32 bytes).
1087
1088 **/
1089 VOID
1090 EFIAPI
1091 TlsGetClientRandom (
1092 IN VOID *Tls,
1093 IN OUT UINT8 *ClientRandom
1094 )
1095 {
1096 TLS_CONNECTION *TlsConn;
1097
1098 TlsConn = (TLS_CONNECTION *)Tls;
1099
1100 if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (ClientRandom == NULL)) {
1101 return;
1102 }
1103
1104 SSL_get_client_random (TlsConn->Ssl, ClientRandom, SSL3_RANDOM_SIZE);
1105 }
1106
1107 /**
1108 Gets the server random data used in the specified TLS connection.
1109
1110 This function returns the TLS/SSL server random data currently used in
1111 the specified TLS connection.
1112
1113 @param[in] Tls Pointer to the TLS object.
1114 @param[in,out] ServerRandom Buffer to contain the returned server
1115 random data (32 bytes).
1116
1117 **/
1118 VOID
1119 EFIAPI
1120 TlsGetServerRandom (
1121 IN VOID *Tls,
1122 IN OUT UINT8 *ServerRandom
1123 )
1124 {
1125 TLS_CONNECTION *TlsConn;
1126
1127 TlsConn = (TLS_CONNECTION *)Tls;
1128
1129 if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (ServerRandom == NULL)) {
1130 return;
1131 }
1132
1133 SSL_get_server_random (TlsConn->Ssl, ServerRandom, SSL3_RANDOM_SIZE);
1134 }
1135
1136 /**
1137 Gets the master key data used in the specified TLS connection.
1138
1139 This function returns the TLS/SSL master key material currently used in
1140 the specified TLS connection.
1141
1142 @param[in] Tls Pointer to the TLS object.
1143 @param[in,out] KeyMaterial Buffer to contain the returned key material.
1144
1145 @retval EFI_SUCCESS Key material was returned successfully.
1146 @retval EFI_INVALID_PARAMETER The parameter is invalid.
1147 @retval EFI_UNSUPPORTED Invalid TLS/SSL session.
1148
1149 **/
1150 EFI_STATUS
1151 EFIAPI
1152 TlsGetKeyMaterial (
1153 IN VOID *Tls,
1154 IN OUT UINT8 *KeyMaterial
1155 )
1156 {
1157 TLS_CONNECTION *TlsConn;
1158 SSL_SESSION *Session;
1159
1160 TlsConn = (TLS_CONNECTION *)Tls;
1161 Session = NULL;
1162
1163 if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (KeyMaterial == NULL)) {
1164 return EFI_INVALID_PARAMETER;
1165 }
1166
1167 Session = SSL_get_session (TlsConn->Ssl);
1168
1169 if (Session == NULL) {
1170 return EFI_UNSUPPORTED;
1171 }
1172
1173 SSL_SESSION_get_master_key (Session, KeyMaterial, SSL3_MASTER_SECRET_SIZE);
1174
1175 return EFI_SUCCESS;
1176 }
1177
1178 /**
1179 Gets the CA Certificate from the cert store.
1180
1181 This function returns the CA certificate for the chosen
1182 TLS connection.
1183
1184 @param[in] Tls Pointer to the TLS object.
1185 @param[out] Data Pointer to the data buffer to receive the CA
1186 certificate data sent to the client.
1187 @param[in,out] DataSize The size of data buffer in bytes.
1188
1189 @retval EFI_SUCCESS The operation succeeded.
1190 @retval EFI_UNSUPPORTED This function is not supported.
1191 @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
1192
1193 **/
1194 EFI_STATUS
1195 EFIAPI
1196 TlsGetCaCertificate (
1197 IN VOID *Tls,
1198 OUT VOID *Data,
1199 IN OUT UINTN *DataSize
1200 )
1201 {
1202 return EFI_UNSUPPORTED;
1203 }
1204
1205 /**
1206 Gets the local public Certificate set in the specified TLS object.
1207
1208 This function returns the local public certificate which was currently set
1209 in the specified TLS object.
1210
1211 @param[in] Tls Pointer to the TLS object.
1212 @param[out] Data Pointer to the data buffer to receive the local
1213 public certificate.
1214 @param[in,out] DataSize The size of data buffer in bytes.
1215
1216 @retval EFI_SUCCESS The operation succeeded.
1217 @retval EFI_INVALID_PARAMETER The parameter is invalid.
1218 @retval EFI_NOT_FOUND The certificate is not found.
1219 @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
1220
1221 **/
1222 EFI_STATUS
1223 EFIAPI
1224 TlsGetHostPublicCert (
1225 IN VOID *Tls,
1226 OUT VOID *Data,
1227 IN OUT UINTN *DataSize
1228 )
1229 {
1230 X509 *Cert;
1231 TLS_CONNECTION *TlsConn;
1232
1233 Cert = NULL;
1234 TlsConn = (TLS_CONNECTION *)Tls;
1235
1236 if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (DataSize == NULL) || ((*DataSize != 0) && (Data == NULL))) {
1237 return EFI_INVALID_PARAMETER;
1238 }
1239
1240 Cert = SSL_get_certificate (TlsConn->Ssl);
1241 if (Cert == NULL) {
1242 return EFI_NOT_FOUND;
1243 }
1244
1245 //
1246 // Only DER encoding is supported currently.
1247 //
1248 if (*DataSize < (UINTN)i2d_X509 (Cert, NULL)) {
1249 *DataSize = (UINTN)i2d_X509 (Cert, NULL);
1250 return EFI_BUFFER_TOO_SMALL;
1251 }
1252
1253 *DataSize = (UINTN)i2d_X509 (Cert, (unsigned char **)&Data);
1254
1255 return EFI_SUCCESS;
1256 }
1257
1258 /**
1259 Gets the local private key set in the specified TLS object.
1260
1261 This function returns the local private key data which was currently set
1262 in the specified TLS object.
1263
1264 @param[in] Tls Pointer to the TLS object.
1265 @param[out] Data Pointer to the data buffer to receive the local
1266 private key data.
1267 @param[in,out] DataSize The size of data buffer in bytes.
1268
1269 @retval EFI_SUCCESS The operation succeeded.
1270 @retval EFI_UNSUPPORTED This function is not supported.
1271 @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
1272
1273 **/
1274 EFI_STATUS
1275 EFIAPI
1276 TlsGetHostPrivateKey (
1277 IN VOID *Tls,
1278 OUT VOID *Data,
1279 IN OUT UINTN *DataSize
1280 )
1281 {
1282 return EFI_UNSUPPORTED;
1283 }
1284
1285 /**
1286 Gets the CA-supplied certificate revocation list data set in the specified
1287 TLS object.
1288
1289 This function returns the CA-supplied certificate revocation list data which
1290 was currently set in the specified TLS object.
1291
1292 @param[out] Data Pointer to the data buffer to receive the CRL data.
1293 @param[in,out] DataSize The size of data buffer in bytes.
1294
1295 @retval EFI_SUCCESS The operation succeeded.
1296 @retval EFI_UNSUPPORTED This function is not supported.
1297 @retval EFI_BUFFER_TOO_SMALL The Data is too small to hold the data.
1298
1299 **/
1300 EFI_STATUS
1301 EFIAPI
1302 TlsGetCertRevocationList (
1303 OUT VOID *Data,
1304 IN OUT UINTN *DataSize
1305 )
1306 {
1307 return EFI_UNSUPPORTED;
1308 }